Daemon
3-30-08, 12:01 AM
(Typing this up while on hold to support, so it's a long story.)
So last night I go to refer someone to one of the videos on my site, and
discover that they're *all* gone. Virtually every .AVI, .WMV, .MPG, .MPEG, .MOV
file I've ever created was deleted. All html and php files remain unmolested,
all image files are still there, but several gigabytes of original content
videos (videos of auto racing, R/C hobby related and misc stuff, all copyright *me*)
all gone.
If my site was hacked, it's certainly not your typical hack, where
they mess with a few things, and replace the home page. No, this was
a very specific deletion of all the largest files on the site. To do this
through the ops panel File Manager would have taken forever, because there's no
way to filter on only the video files and leave all the rest. You'd have
to select all, and then unselect the htm/html/php/jpg/gif.. etc..
delete, move on to the next dir.. etc. Seems a heck of a lot more like
something someone would do from a unix shell.
I did a full recursive directory listing of my site from the home dir
with a php script, and then began the restore process from the last NetApp
snapshot in Backup/Restore manager in ops panel. After it was finished (took at
least an hour), I did another recursive directory listing and did a detailed unix diff to
see if I could find any signs of modified files that might indicate someone
hacking through a php script or something. Nothing. Aside from several
hundred deleted videos and some Gallery1.x dat files which store hit counters, no
other file has been modified anywhere else on my site. I changed all my
passwords, and finally today got around to downloading the access log.
One thing dominates most of the access log. About a zillion 404 errors (46,050 to
be exact) from a single web spider trying to download all my videos. I go back to the
very first instance of that spider's IP in the logs and see this.
125.236.157.191 - - [28/Mar/2008:09:40:32 -0400] "GET /videos/misc/ HTTP/1.1" 200 45273 "http://www.google.co.nz/search?q=%22intitle:index+of%22+avi+avi&hl=en&start=80&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13"
So this is clearly a private individual (not a robot, so wouldn't respect robots file if I
had one). That Google search brought them to my site, and then the logs show them
going back to my top level page, indexing every page and file on the site
and then it proceeds to try to download every avi, wmv, mpg, mov, etc
simultaneously.
Roughly 13,000 successful hits later in the access log (I don't have 13,000 videos.
Big files are usually downloaded in many pieces), a strange thing happens.
Everything goes from normal 200 responses, to 404's (file not found).
Something/someone has deleted all the video files that this spider is trying to
download at virtually the same moment. 46050 more 404's from this one spider
follow, all throughout the day and it gave up around 6pm. I performed the
restore some time later that night, and see normal traffic in the access log.
I scoured the log looking for any abnormal hits to .php scripts that one would
have to use to hack into the account, and there are none. One moment
the files were there, the next they weren't. There is nothing in
the access log during that interval, other than the spider trying to download
all the files.
Here's my hypothesis. An admin at Powweb saw this huge number of
simultaneous connections inbound to my web site, and a largish amount of data going
out to a single IP. But instead of doing what I'd consider the most logical thing (blocking
that one IP either at the firewall, or by throwing that IP into my .htaccess file
in a Deny rule), they simply deleted all the files that they were trying
to access. But I received no email notifications from support or admins.
I've violated no terms of my user agreement with Powweb. Haven't exceeded my
file storage or bandwidth. All content is original to me.
I just now finally got through to support, explained what I've written above,
showed them the access log, and they said (paraphrased) "There are no auto generated
notices attached to your account. We have no record of anyone doing anything.
Your account has not been suspended. There's nothing else we can do."
Great, swell.
Anyone else ever see anything like this? If it weren't for the log of the
web spider trying to download all the files at once, I'd write this off as a
random "account hacked" incident, and continue to scratch my head as to how
they got in, but I have to think that 13253 hits on a couple hundred large files
simultaneously over a 2.5 hour period *had* to throw up a flag at Powweb
operations and that it's no coincidence that the files that all disappeared at the same
moment are also the same files that the spider was trying to download.
ian
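The log analysis described in the post above (isolate one client IP, count its responses, find the moment its requests flip from 200 to 404, list which previously served files vanished, and check whether any .php script was hit in that window) can be automated rather than done by eye. The following Python script is an added example and is not code from the original post or from the hosting provider; it parses Apache "combined" format lines, and the sample log is constructed here, modelled on the single entry the post quotes (the IP and the /videos/ paths are taken from the post, the file names, byte counts and timestamps after the first line are made up).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic). The first line mirrors the entry
# quoted in the post; the rest are invented to show the 200 -> 404 flip.
SAMPLE_LOG = """\
125.236.157.191 - - [28/Mar/2008:09:40:32 -0400] "GET /videos/misc/ HTTP/1.1" 200 45273 "http://www.google.co.nz/search?q=%22intitle:index+of%22+avi+avi&hl=en&start=80&sa=N" "Mozilla/5.0"
125.236.157.191 - - [28/Mar/2008:09:41:10 -0400] "GET /videos/misc/race1.avi HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Mar/2008:09:41:30 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
125.236.157.191 - - [28/Mar/2008:09:42:05 -0400] "GET /videos/rc/heli.wmv HTTP/1.1" 206 524288 "-" "Mozilla/5.0"
125.236.157.191 - - [28/Mar/2008:12:10:44 -0400] "GET /videos/misc/race1.avi HTTP/1.1" 404 312 "-" "Mozilla/5.0"
125.236.157.191 - - [28/Mar/2008:12:10:45 -0400] "GET /videos/rc/heli.wmv HTTP/1.1" 404 312 "-" "Mozilla/5.0"
125.236.157.191 - - [28/Mar/2008:12:11:02 -0400] "GET /videos/misc/race2.mpg HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Mar/2008:12:30:00 -0400] "GET /gallery/view.php?id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        yield rec


def status_counts_by_ip(records):
    """Map client IP -> Counter of HTTP status codes (the '46,050 404s' view)."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["ip"]][r["status"]] += 1
    return counts


def find_vanish_point(records, ip):
    """For one client, return (last_2xx_time, first_404_after_it, vanished_paths).

    vanished_paths are paths that client fetched successfully before the last
    2xx and then got a 404 for afterwards: the files that 'disappeared'.
    Returns (None, None, set()) when there is no such 200 -> 404 transition.
    """
    mine = sorted((r for r in records if r["ip"] == ip), key=lambda r: r["time"])
    ok = [r for r in mine if 200 <= r["status"] < 300]
    if not ok:
        return None, None, set()
    last_ok = ok[-1]["time"]
    served = {r["path"] for r in ok}
    after = [r for r in mine if r["time"] > last_ok and r["status"] == 404]
    if not after:
        return None, None, set()
    vanished = {r["path"] for r in after} & served
    return last_ok, after[0]["time"], vanished


def script_hits_in_window(records, start, end):
    """Requests for .php scripts (any client) between start and end inclusive.

    This is the post's check for a web-shell or exploited script: if the files
    vanished with no script request in the window, the deletion did not come
    through the web tier as far as this log can show.
    """
    return [
        r for r in records
        if start <= r["time"] <= end and r["path"].split("?")[0].endswith(".php")
    ]


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    ip = "125.236.157.191"
    print("status counts:", dict(status_counts_by_ip(recs)[ip]))
    last_ok, first_404, gone = find_vanish_point(recs, ip)
    print(f"last 2xx {last_ok}, first 404 {first_404}, vanished: {sorted(gone)}")
    print("php hits in window:", script_hits_in_window(recs, last_ok, first_404))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the deletion happened somewhere between the two timestamps find_vanish_point returns, which is the interval to ask the host about or to compare against the snapshot schedule. Note that only paths the client had already fetched once count as "vanished"; a 404 for a path never seen with a 2xx (race2.mpg above) may simply never have existed.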